[CLOSED] Editable Grid permits script injection



mcareysencha
9 Nov 2011, 3:55 PM
While doing some testing, we discovered that the following string can be placed in a field for an Editable Grid, and the script will run. You can replicate this by going to the live example (we did it in Firefox 3.6.24) and placing the string in a field of the Common Name column. When the field loses focus and returns to its non-editing state, the script is evaluated and an alert pops up.

<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

Theoretically, if the developer doesn't safeguard their data storage and retrieval, the next person to edit the field could inadvertently trigger a script.


REQUIRED INFORMATION

Ext version tested:
Ext 4.0.7

Browser versions tested against:
FF3 (firebug 1.3.0.10 installed)

Description:
Placing a script node in an editable grid field causes the script to be evaluated.

Steps to reproduce the problem:
Place the above script string in a field on the editable grid example and cause the field to lose focus.

The result that was expected:
No action.

The result that occurs instead:
An alert with the message "XSS" appears.
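As an added illustration (not part of this report and not code from Ext JS), the plain JavaScript below models the two renderer behaviours behind the report: a grid cell that drops the edited value straight into its markup, and the same cell with an HTML-encoding renderer applied first. The htmlEncode, renderCellUnsafe, renderCellSafe and cellContentIsActive functions, the CELL_OPEN wrapper (loosely modelled on a grid cell's inner div) and the PAYLOADS list are all my own constructions; the first payload is the one from the post (String.fromCharCode(88,83,83) simply evaluates to "XSS", a common way of writing the string without quotes). The second payload carries the caveat a practitioner will want: even in browsers that do not execute a <script> element inserted through innerHTML, an event-handler attribute on an injected element still fires, so the fix has to escape all markup characters rather than strip script tags.

```javascript
// Added example, not code from the original post or from Ext JS.
// A plain-JS model of how an editable grid cell is re-rendered after an edit,
// with the unescaped path beside the escaped one.

// Stand-in for a library encoder such as Ext.String.htmlEncode: escape the five
// characters that can terminate text content or an attribute value.
function htmlEncode(value) {
  if (value === null || value === undefined) return '';
  return String(value)
    .replace(/&/g, '&amp;')   // first, so the entities added below are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Assumed cell wrapper markup (hypothetical, loosely modelled on a grid cell).
var CELL_OPEN = '<div class="x-grid-cell-inner">';
var CELL_CLOSE = '</div>';

// Vulnerable rendering: the record value is concatenated into the cell markup,
// so any tag in the value becomes part of the grid's DOM when it is inserted.
function renderCellUnsafe(value) {
  return CELL_OPEN + value + CELL_CLOSE;
}

// Hardened rendering: the same cell with the encoding renderer applied first.
function renderCellSafe(value) {
  return CELL_OPEN + htmlEncode(value) + CELL_CLOSE;
}

// Pull the content back out of the cell wrapper so a check can inspect it.
function cellInner(html) {
  return html.slice(CELL_OPEN.length, html.length - CELL_CLOSE.length);
}

// True if the rendered cell content still opens a tag (element, closing tag,
// comment or declaration). A test heuristic only, not a sanitiser: an on*=
// handler is only live inside a tag, so an escaped value with no '<' is inert.
function cellContentIsActive(html) {
  return /<[a-z\/!?]/i.test(cellInner(html));
}

// Constructed sample inputs. The first is the payload from the report above;
// String.fromCharCode(88,83,83) evaluates to "XSS".
var PAYLOADS = [
  '<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
  '<img src=x onerror=alert(1)>',   // fires even where innerHTML-inserted <script> does not
  'O\'Neil & Sons "Ltd"'            // legitimate data that must still display correctly
];

// Render every sample both ways and report which outputs still carry markup.
function compareRenderers(values) {
  return values.map(function (v) {
    return {
      value: v,
      unsafeActive: cellContentIsActive(renderCellUnsafe(v)),
      safeActive: cellContentIsActive(renderCellSafe(v)),
      safeCell: renderCellSafe(v)
    };
  });
}

compareRenderers(PAYLOADS).forEach(function (r) {
  console.log(JSON.stringify(r));
});
```

In an Ext 4 grid the corresponding change is a renderer on the editable column, for example `renderer: Ext.String.htmlEncode` next to the column's `editor` config; confirm which characters the encoder in your Ext version escapes (the quote characters matter wherever a value lands in an attribute), and apply the same encoding at every other point the stored value is rendered, since, as the report notes, the value persists and is rendered again for the next user who opens the grid.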

evant
9 Nov 2011, 4:32 PM
See: http://www.sencha.com/forum/showthread.php?146084-ComboBox-does-not-HTML-escape-entries-in-drop-down&highlight=combo